Android NFC Hack Allows Free Ride on US Subways

Where there are systems for financial transactions, there will always be opportunities to skirt those systems, and that holds true for NFC transactions, too. Researchers have already demonstrated a hack for Android NFC that lets them refill fare card balances for transit systems, including subways, in two states.

The key to the hack is UltraReset, which was developed by researchers Corey Benninger and Max Sobell at Intrepidus Group. The researchers used the app to successfully refill balances on fare cards in New Jersey and San Francisco, using the app on Android phones that have NFC capabilities. Using a legitimate transit card, they simply stored the balance via the app, used up the balance, and then returned the balance to the NFC-based card. They haven’t tested other transit system that use NFC, but suggested that Boston, Chicago, Salt Lake City, and Seattle are among those that might be at risk to this sort of attack.